Re: w00t 08

[Dean Pierce <piercede () pdx edu>]

It's just too easy to game the system in academia.  Professors are rated 
on the number of papers referencing them, and also how well their PhD 
students are doing.  Most universities require students to have at least 
a few journal papers.

The way I have seen it, it normally works like this:
Professor Alice and professor Bob are tenured professors at their 
respective universities.  Alice and Bob know each other because they are 
in the same field, so they attend the same conferences.

Alice and Bob sit as reviewers for various journals.
Alice has a PhD student, Carol, who needs to get a paper published.

To get the paper published, Carol is told to put Alice as the first 
author, add as many references at the end as possible to Bob's papers, 
and submit it to Bob's journal.  It is also assumed that Bob's students 
will be allowed to publish in Alice's journal.

*** the result ***
Bob gains references, which elevates his position at the university.
Alice's PhD student gets published, which elevates her position.
Carol gets her PhD.

*** the problem ***
If Bob does not recognize the first author, there is no way he is going 
to take the paper seriously.
If the paper does not reference any of Bob's papers, Bob has no 
incentive to allow the paper to be published, and the paper is rejected 
with "author does not know the literature".

I have seen scenarios where Alice is still the first author, but Carol 
doesn't put Bob as a reference.  Bob then complains to Alice about this. 
  Alice tells Carol to put Bob as a reference, they resubmit the exact 
same paper, and the paper is accepted.


*** punchline ***
The whole concept of "academic peer review" is a giant political circle 
jerk.  When someone complains about lack of "peer review", they are most 
likely complaining about someone "not going through the proper channels".


With all that said, I agree completely that computer science journals 
have become little more than software catalogs, full of nothing but 
blatant advertising.  If anyone wants to hear me rant for hours on how I 
despise people like Dawson Engler, I'll be flying into Vegas Tuesday 
afternoon.  Send me an email and I'll buy you a drink :-)

Imagine of a physics journal did that.  Imagine if they published papers 
along the line of "We just created a zero point energy system (trust 
us), and it was damn awesome!  Contact us if you want to license it from 
us for a nominal fee".

In my opinion, if they do not release the code that can reproduce the 
numbers they are showing off, then they are full of shit and should not 
be published.


The thing I love the most about the security community is that the 
researchers are only as good as the last thing they broke.  You can't 
get "tenure" in the security community.  It doesn't matter if you were 
the shit 4 years ago, because that means nothing now.  If you can't keep 
up with modern advances, you get left behind.

    - DEAN


nnp wrote:
> On Sun, Aug 3, 2008 at 3:30 AM, root <root_ () fibertel com ar> wrote:
> > Dave Aitel wrote:
> > > These are not the papers you're looking for.
> > > http://www.usenix.org/event/woot08/tech/full_papers/
> > >
> > > Seriously, there's nothing there to scare an network offense
> > > professional. I don't think it's w00t's fault, either. I think the
> > > research communities are diverging into public and private, as this
> > > research gets more expensive to do.
> > >
> > > USENIX may not be the place for academic treatment of offensive security
> > > research. A friend of mine wonders if there's any future for academic
> > > treatment of the subject at all. He wonder's wistfully of course, since
> > > he likes academia.
> > >
> > > Anyways, either be scary or be silly. There's no middle ground here.
> > > It's a fundamental truth in this field: You're either in, or you're out.
> > >
> > > -dave
> > Commercial security conferences don't have great academic value because
> > they are not peer reviewed (well, not reviewed by academic people) and
> > there are other much important academic journals like ieee, etc. that in
> > theory don't accept money in exchange for the publication of an article.
>
> I'd like to get everyone else's opinion/experiences with articles from
> so called 'peer reviewed' journals like IEEE and the rest. I've spent
> the past 8 weeks or so working on a project as a research monkey at my
> uni and spent the first few weeks pouring over journals etc. When it
> actually came time for implementation though I discovered a huge array
> of problems that had not been mentioned in the articles (and were
> presumably ignored as acceptable sources of error). When I contacted
> the authors requesting to see their software so I could determine if
> they had solutions to the problems I was either ignored or blown off
> with excuses like "we currently don't have the resources to make that
> available". In my opinion this brings all of their results into
> question when outsiders don't know exactly what sources of error they
> deemed acceptable. If some academics aren't bothering to release their
> software and their results are questionable then what purpose do they
> serve other than to fill pages in journals?
>
> So my question basically boils down to, how much reviewing actually
> goes on? i.e Do they run the software? Do they examine code or
> formulae? Or is it just a case of 'well it looks right'?
>
> > Believe me, i had a hard time convincing my thesis advisor of the
> > importance of being a speaker on Blackhat...
> >
> > Anyway, cryptography and cryptanalysis (offensive or not) is certainly
> > dominated by academia, and I don't see that changing on the future.
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunitysec com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
> >
> >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunitysec com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave